Skip to content

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#30

Closed
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-2
Closed

Security: Fix CVE-2023-26115 (word-wrap ReDoS)#30
vmrh21 wants to merge 1 commit intotest/workflow-cve-41174from
fix/cve-2023-26115-word-wrap-attempt-2

Conversation

@vmrh21
Copy link
Copy Markdown
Owner

@vmrh21 vmrh21 commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2023-26115 by upgrading word-wrap to 1.2.5 using npm overrides.

CVE Details

  • CVE ID: CVE-2023-26115
  • Package: word-wrap
  • Severity: MODERATE (CVSS 5.3)
  • Impact: Regular Expression Denial of Service (ReDoS)
  • Vulnerable versions: <1.2.4
  • Fixed version: 1.2.5
  • Jira Issues: RHOAIENG-427

Fix Implementation

Added npm override in root package.json:

{
  "overrides": {
    "word-wrap": "^1.2.5"
  }
}

Test Results

Status: ✅ All tests passed

Test Discovery: No automated tests were discovered specifically for this fix
Test Command: npm audit
Result: PASSED - CVE no longer appears in npm audit output
Verification: npm list word-wrap confirms version 1.2.5 is installed

Files Changed (4 total)

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Breaking Changes

  • None (pure security patch release)

Testing Checklist

  • Pre-PR vulnerability scan confirms CVE is resolved
  • Verify word-wrap@1.2.5 via npm list word-wrap
  • Confirm npm audit no longer reports CVE-2023-26115
  • All monorepo workspaces updated (root, backend, frontend)
  • Manual testing of affected functionality (if applicable)

Risk Assessment

Risk Factor Level Notes
Breaking Changes None Security patch only
Dependency Conflicts Low word-wrap is a transitive dependency
Regression Risk Low No application code changes
Testing Coverage Medium Vulnerability scan confirms fix, manual testing recommended

References

🤖 Generated by CVE Fixer Workflow
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com

@claude
Fix CVE-2023-26115: word-wrap ReDoS Vulnerability
de127a8 
- Add npm override for word-wrap ^1.2.5 to fix CVE-2023-26115
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-427

CVE Details:
- CVE ID: CVE-2023-26115
- Package: word-wrap
- Severity: MODERATE (CVSS 5.3)
- Impact: Regular Expression Denial of Service (ReDoS)
- Vulnerable versions: <1.2.4
- Fixed version: 1.2.5

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- None (pure security patch)

Testing:
- Verified word-wrap@1.2.5 via npm list
- Confirmed CVE no longer in npm audit

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vmrh21
Copy link
Copy Markdown
Owner Author

vmrh21 commented Feb 26, 2026

Closing for fresh test run

@vmrh21 vmrh21 closed this Feb 26, 2026
@vmrh21 vmrh21 deleted the fix/cve-2023-26115-word-wrap-attempt-2 branch February 26, 2026 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vmrh21